Microsoft has said that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of a Clop ransomware affiliate.
The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw, and CVE-2023-27351, a high-severity unauthenticated information disclosure flaw. The former has a CVSS score of 9.8.
After being notified by Trend Micro, PaperCut alerted users last week that the vulnerabilities were being exploited in the wild and urged customers to update their servers immediately.
Microsoft Threat Intelligence yesterday attributed recent attacks exploiting the bugs to “Lace Tempest,” a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the notorious Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware.
Read more on Clop ransomware: Raspberry Robin Worm Actors Linked to Clop, LockBit Ransomware Groups.
Also known as DEV-0950, Lace Tempest is a Clop ransomware affiliate that has previously been observed using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13.
“In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service,” Microsoft added in a tweet.
“Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync.”
Microsoft added that other groups may also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to deployment of the prolific LockBit ransomware.
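For defenders, the chain Microsoft describes (PaperCut server spawning PowerShell, LSASS credential access, injection into conhost.exe, WMI lateral movement, MegaSync exfiltration) maps onto a handful of host telemetry checks. The following is an added example, not Microsoft's or PaperCut's code; it assumes Sysmon-style process/access/injection events, that the PaperCut application server runs as pc-app.exe, and a constructed LSASS allowlist, all of which need tuning per environment.

```python
"""Detection sketch for the post-exploitation chain described above.
Events are constructed, Sysmon-style records, not real telemetry."""
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process" (creation), "access" (handle to a process), "inject"
    image: str           # acting process image name
    parent: str = ""     # parent image for process-creation events
    target: str = ""     # process touched by access/inject events

# Assumption: the PaperCut application server runs as pc-app.exe; adjust to
# whatever image your PaperCut NG/MF service actually runs under.
PAPERCUT_IMAGES = {"pc-app.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Constructed allowlist of processes expected to open LSASS on a healthy host.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

def detect(events):
    """Return (rule_name, event) pairs matching the described TTPs."""
    hits = []
    for e in events:
        img, parent, target = e.image.lower(), e.parent.lower(), e.target.lower()
        if e.kind == "process" and parent in PAPERCUT_IMAGES and img in SHELLS:
            hits.append(("papercut_spawns_shell", e))      # exploit -> PowerShell
        elif e.kind == "access" and target == "lsass.exe" and img not in LSASS_ALLOWLIST:
            hits.append(("lsass_credential_access", e))    # credential theft attempt
        elif e.kind == "inject" and target == "conhost.exe":
            hits.append(("injection_into_conhost", e))     # TrueBot payload injection
        elif e.kind == "process" and parent == "wmiprvse.exe" and img in SHELLS:
            hits.append(("wmi_lateral_movement", e))       # WMI-launched shell
        elif e.kind == "process" and img == "megasync.exe":
            hits.append(("megasync_exfil_tool", e))        # MegaSync staging/exfil
    return hits

# Constructed sample: one benign event, then the chain in the order described.
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", parent="explorer.exe"),   # admin shell, benign
    Event("process", "powershell.exe", parent="pc-app.exe"),     # server spawns a shell
    Event("access", "rundll32.exe", target="lsass.exe"),          # DLL host reads LSASS
    Event("inject", "rundll32.exe", target="conhost.exe"),
    Event("process", "powershell.exe", parent="WmiPrvSE.exe"),   # on a remote host
    Event("process", "MEGAsync.exe", parent="explorer.exe"),
]

def run_sample():
    """Rule names fired by the constructed sample, in event order."""
    return [name for name, _ in detect(SAMPLE_EVENTS)]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name:24} {ev}")
```

Each rule is noisy on its own; correlating two or more of them on the same host within a short window is what separates this chain from routine administration.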